infantex Posted June 11, 2022
Hi all. My account was moved to Plesk. Right now my main site is hosted on a VPS and its nameservers are managed by Cloudflare. I am getting emails from Plesk stating that it failed to secure my domains with Let's Encrypt. I don't know if this is due to my Let's Encrypt certificates being managed by Cloudflare. What would be better, let Cloudflare continue to manage the Let's Encrypt certificates or have Plesk manage them? Which settings should I move in either case? I have the following domains:
infantex.com.mx (main)
infantex.mx (alias for infantex.com.mx)
zaldivar.mx (add-on domain?)
Please note that both infantex.com.mx's and zaldivar.mx's DNS are managed by Cloudflare; infantex.mx's is not. Also, the infantex.com.mx website is currently on a Heliohost VPS. zaldivar.mx has no website, only email services, and is also managed by the VPS (via HestiaCP). infantex.com.mx mail is managed by a free G Suite Legacy account... which I will need to change since Google will discontinue that service this month. Thanks in advance for your help. Regards,
Krydos Posted June 11, 2022
There are many different ways to configure things that will work, but what I recommend is: use a hosts file to make your browser think that your domains are hosted on 65.19.141.77 (Plesk), and then make sure all your domains are working correctly on Plesk. With the hosts file only your computer will think the domain is on Plesk, and the rest of the world will continue getting your website from the VPS. Then, when everything is working correctly on Plesk, log in to Cloudflare and change the A record from 65.19.141.197 to 65.19.141.77. This will make everyone's computers go to Plesk when they go to your domain.
I recommend continuing to use Cloudflare for now because the DNS connection in Plesk isn't fully working yet, so if you switch to our nameservers an admin will have to make changes for you. If you continue to use Cloudflare you can make the changes yourself and save us some work. If you're using Cloudflare's DNS you can use their SSL too.
For mail you'll want to make an MX record in Cloudflare pointed to 65.19.141.77 if you want the emails to go to Plesk. You'll need to copy/paste the DKIM that Plesk provides and the SPF value mentioning Plesk's IP into Cloudflare to make your email sending work, though, because you'll have terrible spam scores without them. Let us know if you need help with any of that.
infantex (Author) Posted June 14, 2022
OK. I added the line:
65.19.141.77 infantex.com.mx
into my hosts file. In fact, it's the only uncommented line in the file. After doing this, when I tried to access infantex.com.mx, I received a NET::ERR_CERT_AUTHORITY_INVALID error. Suggested solutions included using incognito mode (didn't work) and temporarily turning off the antivirus (still received the error but got the option to load the page anyway). It loaded but with a warning: the address bar shows "Not safe" and "https" appears in red and struck through. I guess that's due to the Let's Encrypt certificates not being issued by Plesk. How do I get the certificates from Cloudflare to Plesk and how can I automate it (I understand Cloudflare is renewing the Let's Encrypt certificates every three months)? Regards,
Krydos Posted June 15, 2022
You can only issue SSL if you change the A record. The whole point of the hosts file is to test your site before you transfer the A record over. If you don't want to test your site first you can just skip the hosts file entirely and edit the A record.
infantex (Author) Posted June 15, 2022
OK. The site seemed to be working fine when I made the test with the edited hosts file, the only issue being the safety warnings. So, I went ahead and changed the A record on Cloudflare. All seems to be working fine. I'll check again tomorrow to let the DNS change propagate. I'll look into zaldivar.mx's email next.
infantex (Author) Posted June 28, 2022
I had some time to try and set up zaldivar.mx's email in Plesk. I tried to log into HestiaCP to check the mailboxes' user names, aliases, etc., but got both an insecure server error and an internal server error (500): How can I fix this? Regards,
Krydos Posted June 28, 2022
It looks like Hestia locked up and couldn't restart. I logged in to your VPS and ran the commands
sudo kill 285478
sudo systemctl restart hestia
Your login page on port 8083 appears to be working now. Let us know if you have any other issues.
infantex (Author) Posted July 13, 2022
I couldn't configure the email for zaldivar.mx. Here are the DNS records in Cloudflare: I copied the DKIM and default._domainkey records from Plesk into Cloudflare. Also, the SPF record includes only Plesk's IP (65.19.141.77). I can log in using the web interface (webmail.zaldivar.mx) and I verified I could receive mail into one of the accounts (jorge@zaldivar.mx). But I cannot retrieve such mail using POP. I use the following settings:
Username: jorge@zaldivar.mx
POP server: zaldivar.mx
Port: Tried both 110 and 995
Always use SSL: Tried both Yes and No
For the port and SSL options I tried the four combinations (110/no SSL, 995/SSL, 110/SSL and 995/no SSL). The error I get is "connection timed out". What am I doing wrong? Also, the only options available for the SSL/TLS certificate for mail (and webmail) are "Not selected". How can I enable SSL for email? Regards,
Krydos Posted July 13, 2022
Cloudflare is the problem. When your mail client tries to connect to SMTP or IMAP it's looking at the A record for zaldivar.mx and it gets 172.67.139.59 and 104.21.79.5, and then it tries to connect to port 995 or 465 or whatever on those Cloudflare servers and it times out. There are a few easy ways to fix it. I recommend just typing tommy2.heliohost.org into your mail client rather than zaldivar.mx. That's the easiest way to make it work. The other option, if you really need to hide the server that you're on, is you could create a subdomain like smtp.zaldivar.mx and imap.zaldivar.mx or mail.zaldivar.mx or whatever and have Cloudflare give 65.19.141.77 as the A record. The third option is to switch to ns1.heliohost.org and ns2.heliohost.org instead of using Cloudflare, but then you would have to make a support request each time you needed your DNS changed. Eventually we will implement the ability to edit DNS records on your own.
infantex (Author) Posted July 13, 2022 (edited)
Thanks, Krydos. I opted to create a mail.zaldivar.mx A record pointed to 65.19.141.77 as per your second suggestion... When doing that, I second-guessed and thought: "How is this different from using plain zaldivar.mx as the POP server, which is also an A record pointed to the same IP?" But since that was your recommendation, I went ahead, added the record and, additionally, disabled Cloudflare's proxy service for that record (perhaps the IPs you detected were the proxy's?). Anyway, it worked (at least for POP; I'll check SMTP later). However, I couldn't get a secure connection: I had to disable "Always use SSL" and change to port 110. Since I would like to have secure connections, I changed the POP server to tommy2.heliohost.org, but got the exact same results:
Using SSL and port 995: Unable to make a secure connection (I'm translating; the actual message is in Spanish)
Using no SSL and port 995: Connection timed out
Using no SSL and port 110: Works
How can I enable SSL for mail in Plesk? As a reminder, I get my Let's Encrypt certificates from Cloudflare. Regards,
Update: I was unable to set a secure SMTP configuration, same results using mail.zaldivar.mx or tommy2.heliohost.org as SMTP servers:
Secure connection using TLS and port 587: Unable to connect to server.
Secure connection using TLS and port 25: Authentication failed, bad username or password.
Secure connection using TLS and port 465: Unable to connect to server.
Secure connection using SSL and port 587: Unable to connect to server.
Secure connection using SSL and port 465: Authentication failed.
Secure connection using SSL and port 25: Unable to connect to server.
Insecure connection and port 25: Success.
Edited July 13, 2022 by infantex: Added SMTP configuration results
Krydos Posted July 13, 2022
Not being able to connect to IMAP and SMTP on the tommy2.heliohost.org domain was my fault. Apparently the server was using a self-signed certificate. I set up email with a real SSL certificate and now it should work.
SMTP host: tommy2.heliohost.org
SMTP port: 465
SMTP SSL/TLS: on
IMAP host: tommy2.heliohost.org
IMAP port: 993
IMAP SSL/TLS: on
infantex (Author) Posted July 13, 2022
Great! Thank you, Krydos. I was now able to set up secure connections both for POP and SMTP. I did have to use tommy2.heliohost.org as the server, though. Using my domain resulted in errors ("mail.zaldivar.mx not in tommy2.heliohost.org SAN list" or something like that for POP, and "zaldivar.mx does not match server name" for SMTP). Also, I used port 995 for POP because I received an error when trying to use 993. Just so you know. Is there a way not to have to use tommy2 as the server? For the zaldivar.mx domain it is not an issue, but I'll have to transfer the emails for infantex.com.mx to Plesk from G Suite Legacy, since they're terminating it... Although that may not be an issue either. I mean, the mail servers are currently Google's, not Infantex's, anyway. So knowing whether it would be possible not to use tommy2 as the server will be just a matter of curiosity. Regards,
Krydos Posted July 13, 2022
21 minutes ago, infantex said: I used port 995 for POP because I received an error when trying to use 993.
993 is IMAP. I prefer IMAP because you get your emails quicker.
21 minutes ago, infantex said: Is there a way not to have to use tommy2 as server?
Yeah, use ns1.heliohost.org and ns2.heliohost.org or turn off proxying in Cloudflare.
infantex (Author) Posted July 13, 2022
2 hours ago, Krydos said: 993 is IMAP. I prefer IMAP because you get your emails quicker.
I'm using GMail and it doesn't support using IMAP to read emails from other accounts. I kind of remember that many years ago IMAP was supported; that doesn't seem to be the case any longer, so POP will do.
2 hours ago, Krydos said: Yeah, use ns1.heliohost.org and ns2.heliohost.org or turn off proxying in Cloudflare.
I think you refer to using them as DNS, in which case you'd have to make the changes yourselves when needed, so it'd not be practical. If you refer to using one of them in place of tommy2.heliohost.org as email servers (I don't really think you mean that), there'd be really no point. As for turning off proxying in Cloudflare, I'd already tried that and it didn't work. I got errors because the certificate was for a different domain (tommy2.heliohost.org instead of mail.zaldivar.mx). But, no problem, everything seems to be working fine with tommy2 as the email server.
One problem I do have, kind of related to email, is that I have a contact form (https://infantex.com.mx/contacto.php) that's supposed to send email to contacto@infantex.com.mx and it hasn't been working since I moved back from the VPS to Tommy. I get no errors but neither do I receive any emails (I already checked the spam folder and they're not there either). Any suggestions as to how I can start to look into this erroneous behavior? Regards,
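The two failure modes worked out in the replies above (a proxied Cloudflare A record that does not forward mail ports, and a certificate whose SAN list names tommy2.heliohost.org rather than mail.zaldivar.mx) can be checked mechanically. The script below is an added example, not code from Plesk, HelioHost or anyone in this thread. It runs offline against a constructed DNS table and SAN list built from the values quoted in the thread; the two Cloudflare prefixes are a subset of the ranges Cloudflare publishes at https://www.cloudflare.com/ips/ and are embedded as an assumption so no network lookup is needed.

```python
"""Diagnose why a mail client cannot reach a host securely (added example)."""
import ipaddress

# Assumption: two of Cloudflare's published IPv4 proxy prefixes, enough to
# classify the addresses quoted in the thread (172.67.139.59, 104.21.79.5).
CLOUDFLARE_PREFIXES = [ipaddress.ip_network(p) for p in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed DNS answers: what a resolver returned for each name in the thread.
DNS = {
    "zaldivar.mx": ["172.67.139.59", "104.21.79.5"],   # proxied ("orange cloud")
    "mail.zaldivar.mx": ["65.19.141.77"],              # proxy disabled
    "tommy2.heliohost.org": ["65.19.141.77"],
}

# Constructed SAN list of the certificate served on each address. The wildcard
# entry is an assumption added to exercise wildcard matching.
CERT_SANS = {
    "65.19.141.77": ["tommy2.heliohost.org", "*.tommy2.heliohost.org"],
}

# Ports a mail client uses; Cloudflare's HTTP proxy does not forward them.
MAIL_PORTS = (25, 110, 143, 465, 587, 993, 995)


def is_cloudflare_proxy(ip):
    """True when ip falls inside one of the embedded Cloudflare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_PREFIXES)


def san_matches(san, hostname):
    """RFC 6125-style DNS-ID match: exact, or a single leading wildcard label."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]                     # ".tommy2.heliohost.org"
        if not hostname.endswith(suffix):
            return False
        return "." not in hostname[: -len(suffix)]   # wildcard covers one label only
    return False


def diagnose(hostname):
    """Return the problems a mail client would hit for hostname; empty list means OK."""
    problems = []
    ips = DNS.get(hostname)
    if not ips:
        return [f"{hostname}: no A record"]
    for ip in ips:
        if is_cloudflare_proxy(ip):
            problems.append(
                f"{hostname} -> {ip}: Cloudflare proxy address; ports {MAIL_PORTS} "
                "are not forwarded, so the client will time out")
            continue
        sans = CERT_SANS.get(ip, [])
        if not any(san_matches(s, hostname) for s in sans):
            problems.append(
                f"{hostname} -> {ip}: certificate SANs {sans} do not cover {hostname}; "
                "TLS verification fails, connect using a name that is listed")
    return problems


if __name__ == "__main__":
    for name in DNS:
        print(name, "->", diagnose(name) or "OK")
```

Against a live host the same checks are one command each: `openssl s_client -connect mail.zaldivar.mx:995 -servername mail.zaldivar.mx` shows which names the served certificate carries, and the web-side equivalent of the hosts-file test in the first reply is `curl --resolve infantex.com.mx:443:65.19.141.77 https://infantex.com.mx/`, which pins a single request to the Plesk address without editing the hosts file.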
Krydos Posted July 14, 2022
Here's the log for your contact form.
Jul 14 02:38:20 tommy2 plesk-sendmail[48064]: S48062: py-limit-out: stderr: INFO:__main__:Setting 'X-PPP-Vhost' header to 'infantex.com.mx'
Jul 14 02:38:20 tommy2 plesk-sendmail[48064]: S48062: py-limit-out: stderr: PASS
Jul 14 02:38:21 tommy2 plesk-sendmail[48064]: S48062: check-quota: stderr: SKIP
Jul 14 02:38:21 tommy2 postfix/pickup[44550]: 23602401FAEE: uid=10183 from=<infantx@infantex.com.mx>
Jul 14 02:38:21 tommy2 postfix/cleanup[45317]: 23602401FAEE: message-id=<1ae95ef6ce2de4bc3179c9c8515f7197@infantex.com.mx>
Jul 14 02:38:21 tommy2 postfix/qmgr[28715]: 23602401FAEE: from=<infantx@infantex.com.mx>, size=2985, nrcpt=1 (queue active)
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: from=<infantx@infantex.com.mx>, to=<infantx@infantex.com.mx>, dirname=/var/qmail/mailnames
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: connection from localhost.localdomain [::1]:40948 to port 783, fd 6
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: using default config for infantx@infantex.com.mx: /var/qmail/mailnames/infantex.com.mx/infantx/.spamassassin/user_prefs
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: processing message <1ae95ef6ce2de4bc3179c9c8515f7197@infantex.com.mx> for infantx@infantex.com.mx:30
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: clean message (0.2/7.0) for infantx@infantex.com.mx:30 in 0.4 seconds, 3064 bytes.
Jul 14 02:38:21 tommy2 spamd[9978]: spamd: result: . 0 - HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,NO_RELAYS,T_SCC_BODY_TEXT_LINE scantime=0.4,size=3064,user=infantx@infantex.com.mx,uid=30,required_score=7.0,rhost=localhost.localdomain,raddr=::1,rport=40948,mid=<1ae95ef6ce2de4bc3179c9c8515f7197@infantex.com.mx>,autolearn=no autolearn_force=no
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: spam: stderr: PASS
Jul 14 02:38:21 tommy2 dk_check[48118]: 23602401FAEE: DKIM Feed: No signature
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: dk_check: stderr: PASS
Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: SPF record was not found in Authentication-Results
Jul 14 02:38:21 tommy2 dk_check[48118]: 23602401FAEE: DKIM Feed: No signature
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: dk_check: stderr: PASS
Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: SPF record was not found in Authentication-Results
Jul 14 02:38:21 tommy2 dk_check[48118]: 23602401FAEE: DKIM Feed: No signature
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: dk_check: stderr: PASS
Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: SPF record was not found in Authentication-Results
Jul 14 02:38:21 tommy2 dmarc[48119]: 23602401FAEE: DMARC: smtpdomain=infantex.com.mx maildomain=thankyou.com mailfrom=no@thankyou.com stamp=1657766301 ip=unknown adkim=relaxed aspf=relaxed p=REJECT sp=UNSPECIFIED pct=100 align_dkim=fail align_spf=fail spfres=unknown dkimres=unknown dmarccheck=DMARC_POLICY_REJECT dmarcstatus=STOP
Jul 14 02:38:21 tommy2 postfix-local[48103]: 23602401FAEE: dmarc: stderr: STOP
Jul 14 02:38:21 tommy2 postfix-local[48103]: message discarded by a mail handler
Jul 14 02:38:21 tommy2 postfix/pipe[47528]: 23602401FAEE: to=<infantx@infantex.com.mx>, orig_to=<info@infantex.com.mx>, relay=plesk_virtual, delay=0.69, delays=0.06/0.01/0/0.62, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jul 14 02:38:21 tommy2 postfix/qmgr[28715]: 23602401FAEE: removed
Your SPF is "v=spf1 include:_spf.google.com ~all" which doesn't include 65.19.141.77, so since Tommy isn't authorized to send emails the message is discarded. You can fix this by allowing Tommy to send emails for your domain.
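The dmarc line in the log above records two separate facts: spfres=unknown for the sending host, and align_spf=fail because the DMARC policy was looked up for the From domain (maildomain=thankyou.com, p=REJECT) while the SPF identity is infantex.com.mx. The script below is an added example, not code from Plesk, Postfix or anyone in this thread. It implements a small subset of SPF (RFC 7208: the ip4, a, include and all mechanisms with the +, -, ~ and ? qualifiers, resolved against an embedded DNS table) and DMARC identifier alignment (RFC 7489, relaxed or strict), then evaluates the logged message as sent and after each candidate fix. All DNS data is constructed: the infantex.com.mx SPF string is the one quoted in the reply, _spf.google.com is reduced to a single illustrative range rather than Google's real record, thankyou.com's DMARC record is modelled as p=reject because the log reports p=REJECT, and the _dmarc.infantex.com.mx record is an assumption added so a passing case can be shown.

```python
"""Offline SPF evaluation and DMARC alignment check (added example)."""
import ipaddress

# Constructed DNS TXT data (see lead-in for which entries are assumptions).
DNS_TXT = {
    "infantex.com.mx": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ~all",   # assumption: one Google range
    "_dmarc.thankyou.com": "v=DMARC1; p=reject; aspf=r; adkim=r",
    "_dmarc.infantex.com.mx": "v=DMARC1; p=quarantine",     # assumption
}
DNS_A = {"infantex.com.mx": ["65.19.141.77"]}               # constructed

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, txt=DNS_TXT, depth=0):
    """SPF result (pass/fail/softfail/neutral/none/permerror) for ip sending as domain."""
    if depth > 10:                        # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in DNS_A.get(arg or domain, [])
        elif mech == "include":
            matched = check_spf(arg, ip, txt, depth + 1) == "pass"
        else:
            continue                      # mx, exists, ptr etc. are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched and no 'all' term


def parse_tags(record):
    """'v=DMARC1; p=reject; aspf=r' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 'r'}."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def aligned(identifier_domain, from_domain, mode="r"):
    """DMARC alignment. Strict: exact match. Relaxed: also a subdomain of the From
    domain. Simplification: the From domain is treated as the organizational
    domain instead of consulting the public-suffix list."""
    if identifier_domain == from_domain:
        return True
    return mode == "r" and identifier_domain.endswith("." + from_domain)


def check_dmarc(from_domain, ip, mail_from_domain, dkim_domain=None, txt=DNS_TXT):
    """Outcome for one message: 'pass', or the published policy (reject/quarantine/none),
    or 'none' when the From domain publishes no record. dkim_domain is the d= of a
    signature that already verified; None means unsigned, as in the log."""
    record = txt.get("_dmarc." + from_domain)
    tags = parse_tags(record) if record else {}
    spf_pass = check_spf(mail_from_domain, ip, txt) == "pass"
    spf_aligned = spf_pass and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags.get("p", "none") if record else "none"


def contact_form_scenarios():
    """The logged message, then the same message after each candidate fix."""
    ip = "65.19.141.77"
    spf_fixed = {**DNS_TXT,
                 "infantex.com.mx": "v=spf1 include:_spf.google.com ip4:65.19.141.77 ~all"}
    return {
        # As logged: SPF softfails and From is on thankyou.com, whose p=reject applies.
        "as_logged": check_dmarc("thankyou.com", ip, "infantex.com.mx"),
        # SPF now authorizes Tommy, but infantex.com.mx does not align with thankyou.com.
        "spf_fixed_only": check_dmarc("thankyou.com", ip, "infantex.com.mx", txt=spf_fixed),
        # SPF fixed and From moved onto infantex.com.mx: identifiers align, DMARC passes.
        "spf_fixed_and_from_aligned": check_dmarc("infantex.com.mx", ip, "infantex.com.mx", txt=spf_fixed),
    }


if __name__ == "__main__":
    for name, outcome in contact_form_scenarios().items():
        print(f"{name}: {outcome}")
```

The third scenario is the one to aim for with a PHP contact form: put the visitor's address in Reply-To and send From an address on the domain whose SPF (and DKIM) authorize the server, so that the identifier DMARC checks is one the server is allowed to speak for.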